Bug 1919237
| Summary: | 8-byte-read-heap-use-after-free in find_pattern_in_path() when input craft vimscript file | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | 1vanChen <houyunsong> | ||||||
| Component: | vim | Assignee: | Red Hat Product Security <security-response-team> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | |||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | rawhide | CC: | gchamoul, mcascell, zdohnal | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | vim-8.2.2529-1.fc33 vim-8.2.2541-1.fc33 vim-8.2.2541-1.fc32 | Doc Type: | If docs needed, set a value | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2021-02-20 01:26:15 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Hi, thank you for reporting the issue! I'll pass the issue to security team and report it upstream. Created attachment 1750773 [details]
reduced poc file
Simplified sample is provided
Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1919212#c4. FEDORA-2021-164265f25a has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a FEDORA-2021-01b3981cc5 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5 FEDORA-2021-01b3981cc5 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-01b3981cc5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-164265f25a has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-164265f25a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-164265f25a has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2021-5be90ab004 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004 FEDORA-2021-fb090f432a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a FEDORA-2021-fb090f432a has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-fb090f432a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-5be90ab004` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2021-fb090f432a has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. |
Created attachment 1749743 [details] poc To Reproduce ```shell vim -u NONE -X -Z -e -s -S poc -c :qa! ``` Debug Info ```shell /src/vim# ASAN_OPTIONS=alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator_release_to_os_interval_ms=500:check_malloc_usable_size=0:detect_container_overflow=1:detect_odr_violation=0:detect_leaks=1:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_abort=1:handle_segv=1:handle_sigill=1:max_uar_stack_size_log=16:print_scariness=1:quarantine_size_mb=10:strict_memcmp=1:strict_string_check=1:strip_path_prefix=/workspace/:symbolize=1:use_sigaltstack=1 src/vim_asan -u NONE -X -Z -e -s -S /mnt/disk/out/vim/vim-fuzzer-out/SFeBCp/crashes/id:000036,sig:11,src:044477,op:havoc,rep:8 -c :qa! ================================================================= ==25097==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500000f108 at pc 0x0000007fecea bp 0x7fffffffd650 sp 0x7fffffffd648 READ of size 8 at 0x62500000f108 thread T0 SCARINESS: 51 (8-byte-read-heap-use-after-free) #0 0x7fece9 in find_pattern_in_path /src/vim/src/search.c:3867:13 #1 0x5e7609 in ex_findpat /src/vim/src/ex_docmd.c:8379:2 #2 0x5e99ab in ex_psearch /src/vim/src/ex_docmd.c:8323:5 #3 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2 #4 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17 #5 0x7ec3ee in do_source /src/vim/src/scriptfile.c:1401:5 #6 0x7eb03d in cmd_source /src/vim/src/scriptfile.c:971:14 #7 0x7eaf1e in ex_source /src/vim/src/scriptfile.c:997:2 #8 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2 #9 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17 #10 0x5cf181 in do_cmdline_cmd /src/vim/src/ex_docmd.c:592:12 #11 0x9c0df7 in exe_commands /src/vim/src/main.c:3056:2 #12 0x9bfc44 in vim_main2 /src/vim/src/main.c:760:2 #13 0x9bd071 in main /src/vim/src/main.c:412:12 #14 0x7ffff6cba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291 #15 0x41d768 in _start (/src/vim/src/vim_asan+0x41d768) 0x62500000f108 is located 8 bytes inside of 8736-byte region [0x62500000f100,0x625000011320) freed by thread T0 here: #0 0x49733d in free (/src/vim/src/vim_asan+0x49733d) #1 0x6cfd9b in vim_free /src/vim/src/misc2.c:1807:2 #2 0x4d1815 in apply_autocmds_group /src/vim/src/autocmd.c:2172:6 #3 0x4d363d in apply_autocmds /src/vim/src/autocmd.c:1621:12 #4 0x9522e8 in win_enter_ext /src/vim/src/window.c:4716:2 #5 0x94da28 in win_split_ins /src/vim/src/window.c:1329:5 #6 0x949216 in win_split /src/vim/src/window.c:817:12 #7 0x5c6835 in prepare_tagpreview /src/vim/src/ex_cmds.c:5082:10 #8 0x7fe008 in find_pattern_in_path /src/vim/src/search.c:3852:4 #9 0x5e7609 in ex_findpat /src/vim/src/ex_docmd.c:8379:2 #10 0x5e99ab in ex_psearch /src/vim/src/ex_docmd.c:8323:5 #11 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2 #12 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17 #13 0x7ec3ee in do_source /src/vim/src/scriptfile.c:1401:5 #14 0x7eb03d in cmd_source /src/vim/src/scriptfile.c:971:14 #15 0x7eaf1e in ex_source /src/vim/src/scriptfile.c:997:2 #16 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2 #17 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17 #18 0x5cf181 in do_cmdline_cmd /src/vim/src/ex_docmd.c:592:12 #19 0x9c0df7 in exe_commands /src/vim/src/main.c:3056:2 #20 0x9bfc44 in vim_main2 /src/vim/src/main.c:760:2 #21 0x9bd071 in main /src/vim/src/main.c:412:12 #22 0x7ffff6cba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291 previously allocated by thread T0 here: #0 0x4975bd in malloc (/src/vim/src/vim_asan+0x4975bd) #1 0x6ce307 in lalloc /src/vim/src/misc2.c:925:11 #2 0x6ce423 in alloc_clear /src/vim/src/misc2.c:852:9 #3 0x94efa9 in win_alloc /src/vim/src/window.c:4892:14 #4 0x94cdac in win_split_ins /src/vim/src/window.c #5 0x949216 in win_split /src/vim/src/window.c:817:12 #6 0x4c9ebe in do_argfile /src/vim/src/arglist.c:662:10 #7 0x4c9c1d in ex_next /src/vim/src/arglist.c:727:2 #8 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2 #9 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17 #10 0x7ec3ee in do_source /src/vim/src/scriptfile.c:1401:5 #11 0x7eb03d in cmd_source /src/vim/src/scriptfile.c:971:14 #12 0x7eaf1e in ex_source /src/vim/src/scriptfile.c:997:2 #13 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2 #14 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17 #15 0x5cf181 in do_cmdline_cmd /src/vim/src/ex_docmd.c:592:12 #16 0x9c0df7 in exe_commands /src/vim/src/main.c:3056:2 #17 0x9bfc44 in vim_main2 /src/vim/src/main.c:760:2 #18 0x9bd071 in main /src/vim/src/main.c:412:12 #19 0x7ffff6cba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291 SUMMARY: AddressSanitizer: heap-use-after-free /src/vim/src/search.c:3867:13 in find_pattern_in_path Shadow bytes around the buggy address: 0x0c4a7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c4a7fff9e20: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c4a7fff9e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c4a7fff9e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c4a7fff9e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c4a7fff9e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c4a7fff9e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==25097==ABORTING ``` After releasing the global variable curwin in prepare_tagpreview , it is referenced on line 3867. ```c //src/search.c L3847 #if defined(FEAT_QUICKFIX) // ":psearch" uses the preview window if (g_do_tagpreview != 0) { curwin_save = curwin; prepare_tagpreview(TRUE, TRUE, FALSE); ^^^^^^^^^^^^^^^^^^ } #endif if (action == ACTION_SPLIT) { if (win_split(0, 0) == FAIL) break; RESET_BINDING(curwin); } if (depth == -1) { // match in current file #if defined(FEAT_QUICKFIX) if (g_do_tagpreview != 0) { if (!GETFILE_SUCCESS(getfile( curwin_save->w_buffer->b_fnum, NULL, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ NULL, TRUE, lnum, FALSE))) break; // failed to jump to file } else ``` Environment: - version : commit e2edc2ed4a9a229870b1e1811b0ecf045b84e429 - OS: Ubuntu 16.04 Additional context compile argument: ```shell #!/bin/bash -eux export CC="clang-11" export CXX="clang-11++" export LDFLAGS="-fsanitize=address" export CFLAGS="-O1 -g -fsanitize=address -fno-omit-frame-pointer" export CXXFLAGS="-O1 -g -fsanitize=address -fno-omit-frame-pointer" cd /src/vim/ && ./configure --with-features=huge --enable-gui=none && make ``` Credit: 1vanChen of NSFOCUS Security Team